Plain-Language Summary
MyAutoBudget is an independent budgeting application in public beta. It is not a bank or a financial advisor. Connecting bank data is optional and is handled through Plaid (read-only). Sensitive financial data is encrypted before it is stored. You can export or delete your data at any time. The Service has not yet undergone an independent security audit. We currently offer email support only.
This Privacy Policy explains how MyAutoBudget (the "Service", "we") handles your information. MyAutoBudget is operated by Josh Jones, an independent software developer based in Arizona, United States. We believe in transparency, so this policy is written in plain language and is candid about what we have built and what we have not yet built.
1. What We Collect
Account information: when you register, we collect an email address, a display name, and a password. Your password is stored as a one-way cryptographic hash; we never store or have access to your plaintext password.
Financial data you enter: accounts, balances, bills, income sources, allocation buckets, savings goals, and similar records. All of this data is entered by you and is used only to provide the budgeting features you signed up for.
Plaid data (optional): if you choose to connect a bank account through our Plaid integration, we receive account balances, transaction data, and account metadata (such as APR) from Plaid on your behalf. The Plaid connection is read-only; MyAutoBudget cannot initiate transfers, make payments, or modify your bank account in any way. We do not receive or store your bank login credentials; those are handled entirely by Plaid under its own privacy policy.
Server and operational logs: we keep limited access and operational logs (such as IP address, request timestamp, URL path, and error messages) for security, reliability, and abuse prevention. These logs are retained for no more than 30 days.
2. How We Use Your Data
We use your data to provide the Service, maintain reliability and security, fix bugs, and improve budgeting and product features. This includes generating your budget dashboard, running calculations and projections, and sending transactional email (such as password-reset links). We do not use your personal financial data for advertising, cross-user analysis, or sale to third parties.
We may generate aggregated, de-identified operational statistics (for example error rates, feature usage counts, or performance metrics) to maintain and improve the Service. These statistics are designed not to identify individual users and are not sold to third parties.
3. Data Isolation and Access
We have designed the Service so that each user's financial records are isolated from those of other users. In the normal course of operating MyAutoBudget, we do not look at individual users' financial data. Because the Service is run by a small independent provider, the operator has administrative access to the underlying infrastructure. Account data may be accessed where reasonably necessary to provide support, investigate a reported problem, maintain or protect the Service, comply with legal obligations, or respond to a security incident. When support-related access is needed to handle a specific issue you have reported, we will make reasonable efforts to notify you where practicable.
4. Security and Privacy Maturity
We want to be candid about the current maturity of our security and privacy infrastructure. The following protections are implemented and active:
- Encryption at rest — sensitive financial fields and Plaid access tokens are encrypted at the application layer before being written to persistent storage. The encryption key is stored separately from the database files.
- Self-service data export — you can download a complete copy of all your data in JSON format from the Profile page at any time, without contacting us.
- Self-service account deletion — you can permanently delete your account and all associated data from the Profile page. Deletion requires password confirmation and removes your authentication record, all sessions, and your financial data from active application storage.
- Per-user data isolation — each user's financial records are logically isolated from those of other users, and our current storage architecture keeps user financial data separated per user.
- HTTPS/TLS in transit — all connections to the Service are encrypted.
- Password hashing — passwords are stored using a modern salted one-way hashing algorithm.
- CSRF protection — cross-site request forgery tokens are applied to state-changing requests.
- Session security — session tokens are cryptographically random and expire after a configurable period.
- Login rate limiting — brute-force login attempts are throttled.
The following protections are not yet implemented:
- Independent security audit — the Service has not yet undergone formal penetration testing or an independent security audit.
No system is completely secure. Please consider these limitations when deciding what data to enter into the Service.
5. Before You Connect a Bank Account
MyAutoBudget is an independent budgeting tool in public beta. It is not a bank and has not undergone an independent security audit. If you choose to connect a financial account through Plaid, you should do so with that understanding. Funds held in your own bank account remain subject to your bank's terms and protections. MyAutoBudget does not provide FDIC or similar deposit insurance.
6. Data Sharing
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. We share data only in the following limited circumstances:
- Plaid (if you opt in) — used to retrieve account balances, transaction data, and liability information (such as credit card APR). Plaid acts as a data processor on your behalf. See Plaid's privacy policy for how it handles your bank credentials.
- Email delivery — we use an SMTP email service to send password-reset links. That service receives only your email address and the message content.
- Legal obligations — we may disclose data if required by law, regulation, subpoena, or valid legal process.
7. Data Retention and Deletion
We retain your data for as long as your account remains active. You can permanently delete your account and associated application data at any time through the Profile page, subject to password confirmation. At that point we remove your authentication record, sessions, and user financial data from active application storage. We do not intentionally maintain long-term, user-accessible backups of financial data after deletion, but limited residual data may remain temporarily in short-term logs, infrastructure snapshots, or systems awaiting normal expiry or overwrite. Once deletion from active systems is complete, we cannot recover your data. Self-service deletion through the Profile page is processed promptly in active application systems. If you submit a deletion request by email to support@myautobudget.com, we will complete it within 30 days.
8. Breach Notification
If we confirm a security incident that materially compromises your personal data, we will notify affected users without undue delay, and where feasible within 72 hours of confirmation. The notice will describe the nature of the incident, the data known to be involved at the time, the steps we are taking, and, where appropriate, recommended protective measures.
9. Where Your Data Is Hosted
The Service runs on two separate infrastructure layers. The application layer is hosted on Fly.io infrastructure in the United States (Los Angeles / LAX region). Your authentication data and encrypted financial records are stored separately on Turso-managed SQLite (libSQL) infrastructure, which runs in the Amazon Web Services US West region; data at rest is encrypted at the application layer before it reaches Turso storage. Fly.io's security practices are described in its security documentation.
10. Cookies and Tracking
We use a single strictly necessary session cookie to keep you logged in. We do not use analytics cookies, advertising trackers, or any third-party tracking scripts. We do not engage in cross-site tracking or behavioral advertising. There are no third-party pixels, tags, or SDKs on any page of the Service.
11. Your Rights
Depending on where you live, you may have rights under applicable privacy law (for example the CCPA if you are a California resident, or the GDPR if you are in the EU/EEA). These rights may include the right to access, correct, delete, or transfer your data, or to object to certain processing. You can exercise data portability and account deletion directly from the Profile page. For all other requests, email support@myautobudget.com. We will respond within 30 days.
12. Children's Privacy
The Service is not directed at individuals under 18. We do not knowingly collect data from minors. If we learn that we have inadvertently collected data from someone under 18, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by a prominent notice within the Service at least 14 days before the change takes effect, and we will update the effective date at the top of this page. Continued use of the Service after the notice period constitutes acceptance of the revised policy.
14. Governing Law
This Privacy Policy is governed by the laws of the State of Arizona, United States.
15. Translations
This Privacy Policy may be made available in languages other than English. In the event of any conflict or inconsistency between a translated version and the English version, the English version prevails.
16. Contact
Questions about this policy, your data, or privacy? Email support@myautobudget.com. To report a suspected security issue, email support@myautobudget.com with the subject line "Security Issue".
Service Availability
MyAutoBudget is currently available only to residents of the United States, Canada, and Mexico. Requests originating from other jurisdictions are blocked at the network layer using IP-based geolocation. If you access the Service from a sanctioned jurisdiction or a jurisdiction outside our service area, we may be required to refuse service and will display a notice to that effect under RFC 7725 (HTTP 451 Unavailable For Legal Reasons).
Categories of Personal Information We Collect
In the last twelve months we have collected the following categories of personal information, as those categories are defined by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Identifiers: your email address, display name, and an internal numeric user ID.
- Commercial information: your subscription status, billing history (processed by our payment processor, Stripe), and coupon redemptions.
- Internet or other similar network activity: the IP address of the devices you use to access the Service, browser user-agent, approximate country / region derived from your IP address, and request timestamps.
- Financial information you choose to enter: accounts, balances, bills, income, transactions, allocations, and goals that you record in the Service. All such fields are encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256) with a key controlled by MyAutoBudget.
- Inferences: projections and insights derived algorithmically from the financial data you enter (for example, an ETA for a savings goal). Inferences are regenerated on demand and are not persisted across sessions.
How We Use Personal Information
We use the categories above exclusively to operate, secure, and improve the Service; to process your subscription; to send transactional email (such as password-reset and email-verification messages); and to comply with our legal obligations. We do not use personal information for advertising, for building profiles to sell to third parties, or for any purpose that is not reasonably necessary to deliver the Service you requested.
Sale or Sharing of Personal Information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not sold or shared personal information in the preceding twelve months, and we have no present intention to do so.
You can record an opt-out of any future sale or sharing in two equally effective ways:
- Enable the checkbox on the Privacy Preferences section of your profile. This records a Do Not Sell or Share My Personal Information election on your account and appends a dated entry to our Consent Log.
- Browse with the Global Privacy Control (GPC) signal enabled in your browser or extension. We honor GPC as a legally-binding opt-out under California Civil Code § 1798.135(b)(1); the first authenticated request we receive with a valid Sec-GPC: 1 header automatically records a Do Not Sell / Share election on your account.
Your Rights as a US Resident
Depending on your state of residence you may have some or all of the following rights with respect to your personal information: the right to know what we have collected about you and how we use it; the right to access a copy of that information in a portable format; the right to correct inaccurate information; the right to delete your information; and the right to opt out of any sale or sharing. The exact scope of these rights depends on your state's statute (CCPA/CPRA for California; CPA for Colorado; CTDPA for Connecticut; UCPA for Utah; VCDPA for Virginia; and similar laws in other states).
You can exercise most of these rights directly in the Service:
- Access / portability: Profile → Download your data produces a JSON export of every record we hold about you.
- Correction: you can edit account identifiers on the Profile page and any financial record through the normal management screens.
- Deletion: the "Delete Account" control on the Profile page permanently removes your account and all associated financial data. We retain a one-way hash of the email address and the original account creation timestamp for the sole purpose of preventing abusive re-creation of free trials; this hash is not reversible and cannot be used to identify you.
- Opt-out of sale or sharing: see the preceding section.
To exercise any right that cannot be exercised through the self-service controls above, email us at privacy@myautobudget.com. We verify requests by requiring that you submit them from the email address of record on the account, and we will respond within forty-five (45) days of receiving a verifiable request as required by California Civil Code § 1798.130. You may designate an authorised agent to submit a request on your behalf; the agent must provide written proof of the designation, and we will in all cases verify the identity of the consumer directly.
Non-discrimination. We will not deny you service, charge you a different price, or provide you a different level or quality of service because you exercised any right under the CCPA, CPRA, or analogous state law.
Service Providers
We disclose personal information only to the following categories of service providers, each of which is bound by a written contract that limits their use of the information to the purpose for which we engaged them:
- Turso — managed SQLite (libSQL) hosting for the authentication database and the per-user financial databases. Turso operates on Amazon Web Services in the United States West region. Data at rest is encrypted at the application layer before it reaches Turso storage.
- Stripe, Inc. — subscription billing and payment processing. We never store your card number, expiry, or CVV; Stripe issues the charge directly and returns only a subscription identifier.
- Plaid Inc. — optional bank-account aggregation for users who choose to link an account. Plaid handles all contact with your financial institution; we receive only the normalised account and transaction data that you elect to share.
- SMTP relay — a transactional-email provider used to send password-reset and email-verification messages. Only your email address and the message body leave our infrastructure.
- Cloudflare, Inc. — DNS, DDoS mitigation, and (optionally) the geo-country header used to determine jurisdiction for service availability.
Global Privacy Control (GPC) & Browser Signals
In addition to honoring explicit opt-outs recorded via the Profile page, MyAutoBudget respects the Sec-GPC HTTP header defined by the Global Privacy Control working group as a legally-binding Do Not Sell / Share opt-out under California Civil Code § 1798.135 and corresponding provisions of the Colorado Privacy Act and Connecticut Data Privacy Act. A browser or browser extension that emits Sec-GPC: 1 on a request from an authenticated session will cause the Service to automatically record a Do Not Sell / Share election on that account; the election is reflected in the Consent Log and persists across future sessions.
We do not respond to the legacy "Do Not Track" browser header because that signal has been deprecated and carries no unambiguous legal meaning. GPC supersedes DNT for this purpose.
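The server-side handling of the Sec-GPC signal described above, as an added Python example that is not MyAutoBudget's own code. It assumes an in-memory account record, a simple dictionary row for the Consent Log, and placeholder document version strings; it accepts only the exact field value "1", ignores unauthenticated requests, and records the election once rather than on every request.

```python
"""Record a Do Not Sell / Share election from the Sec-GPC header.

Added illustration, not MyAutoBudget's own code. The Account store, the
log row layout and the version strings are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Placeholders for the document versions in force at the time of the event.
PRIVACY_POLICY_VERSION = "privacy-policy-vX"
TERMS_VERSION = "terms-of-use-vX"


@dataclass
class Account:
    user_id: int
    do_not_sell_or_share: bool = False
    consent_log: List[dict] = field(default_factory=list)  # append-only rows


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True only for a well-formed signal: the GPC spec defines the value as "1".

    Header names are case-insensitive; any other value (e.g. "0") is not an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_gpc(headers: Dict[str, str], account: Optional[Account],
              now: Optional[datetime] = None) -> bool:
    """Apply the election on the first authenticated request carrying Sec-GPC: 1.

    Returns True only when a new election was recorded. Unauthenticated requests
    have no account to attach the election to, and an account that already opted
    out is left untouched so the Consent Log gets one row, not one per request.
    """
    if account is None or not gpc_signal_present(headers):
        return False
    if account.do_not_sell_or_share:
        return False
    account.do_not_sell_or_share = True
    account.consent_log.append({
        "event": "gpc_opt_out",
        "at": (now or datetime.now(timezone.utc)).isoformat(),
        "privacy_policy_version": PRIVACY_POLICY_VERSION,
        "terms_version": TERMS_VERSION,
    })
    return True
```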
California Shine the Light (Civil Code § 1798.83)
We do not share personal information with third parties for their own direct-marketing purposes, so no "Shine the Light" disclosure is required. If this changes, we will update this policy and provide the statutorily-required notice.
California Civil Code § 1789.3 Notice
Under California Civil Code § 1789.3, users of the Service from California are entitled to the following consumer rights notice: the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted in writing at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210 or (916) 445-1254.
Mexico — LFPDPPP
Users in Mexico have rights of Access, Rectification, Cancellation, and Opposition ("ARCO" rights) under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares. The self-service export, edit, and delete controls described above satisfy the Access, Rectification, and Cancellation rights in full. To exercise the right of Opposition or to submit any ARCO request that cannot be satisfied by self-service, email privacy@myautobudget.com.
Canada — PIPEDA & Provincial Equivalents
Canadian users are protected by the Personal Information Protection and Electronic Documents Act and, where applicable, by provincial statutes (Quebec's Law 25, Alberta's PIPA, British Columbia's PIPA). We handle personal information in accordance with the ten Fair Information Principles and will respond to any access or correction request within thirty (30) days as required by section 8 of PIPEDA.
Consent Log & Version History
Each time you create an account, toggle a privacy preference, or transmit a browser-level opt-out signal, we append an immutable row to an internal Consent Log recording the event, the date, and the version of this Privacy Policy and of our Terms of Use in force at that moment. You can review the last ten entries in your own log from the Privacy Preferences section of your profile and request the full record as part of a data-subject access request.
Contact
For any privacy question, data-subject request, or notice of complaint, contact:
MyAutoBudget — Privacy
Email: privacy@myautobudget.com